Configuring Special Actions For Application Inspections (Inspection Policy Map) - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 20 Using Modular Policy Framework

The match default-inspection-traffic command, which is used in the default global policy, is a special CLI shortcut that, when used in a policy map, ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the FWSM, the FWSM applies the TFTP inspection; when TCP traffic for port 21 arrives, the FWSM applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections. See the "Incompatibility of Certain Feature Actions" section on page 20-17 for more information about combining actions). Normally, the FWSM does not use the port number to determine the inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for example.

See the "Default Inspection Policy" section on page 22-4 for a list of default ports. The FWSM includes a default global policy that matches the default inspection traffic and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports or protocols in the access list are ignored.

The following is an example for the class-map command:

hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map. When the inspection policy map matches traffic within the Layer 3/4 class map for which you have defined an inspection action, that subset of traffic is acted upon as specified (for example, dropped or rate-limited).

This section includes the following topics:
Inspection Policy Map Overview, page 20-7

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
20-6
OL-20748-01
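The following is an added example, not configuration from this guide, showing how the three pieces described in this section fit together: a Layer 3/4 class map selects HTTP traffic to the server 10.1.1.1, an inspection policy map defines the special actions, and the Layer 3/4 policy map enables the HTTP inspection engine with that inspection policy map. The names http_to_server, http_strict, outside_policy and the interface name outside are assumed; the inspection policy map commands are the standard FWSM/ASA Modular Policy Framework syntax rather than commands shown on this page.

```cisco
! Layer 3/4 class map: only HTTP traffic to the server 10.1.1.1 (assumed names)
access-list http_to_server permit tcp any host 10.1.1.1 eq www
class-map http_to_server
 description "HTTP traffic to server 10.1.1.1"
 match access-list http_to_server
!
! Inspection policy map: special actions applied by the HTTP inspection engine
! to the subset of traffic that matches each criterion
policy-map type inspect http http_strict
 parameters
  protocol-violation action drop-connection log
 match request method put
  drop-connection log
 match request uri length gt 1024
  reset log
!
! Layer 3/4 policy map: enable the HTTP inspection engine and attach the
! inspection policy map, so the actions above apply only within this class
policy-map outside_policy
 class http_to_server
  inspect http http_strict
!
! Apply the Layer 3/4 policy map to the interface named "outside" (assumed)
service-policy outside_policy interface outside
```

Traffic to 10.1.1.1 on port 80 that does not match any criterion in http_strict is still inspected for protocol conformance and forwarded; traffic outside the http_to_server class is not touched by this policy at all.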